Vapt UNIT-4
1. SMTP (Simple Mail Transfer Protocol)
Overview:
Purpose: Transfers emails between servers and clients (port 25, or 587 for submission).
Operation: Uses plain text commands (e.g., HELO, MAIL FROM, RCPT TO) to send
messages.
Common Vulnerabilities:
Open Relay:
o Misconfigured SMTP servers allow unauthorized users to send emails, enabling
spam or phishing.
o Impact: Reputation damage, blacklisting of server IP.
Email Spoofing:
o Attackers forge sender addresses due to weak authentication.
o Impact: Phishing campaigns, malware delivery.
No Encryption (by default):
o SMTP transmits data in plain text, vulnerable to eavesdropping.
o Mitigation: Use STARTTLS or SMTPS (port 465).
Command Injection:
o Attackers inject malicious commands during SMTP sessions.
o Impact: Server compromise or DoS.
VRFY/EXPN Commands:
o Allows attackers to verify user accounts or expand mailing lists, aiding
reconnaissance.
o Mitigation: Disable these commands.
Exam Tip: Focus on open relay and spoofing as primary SMTP risks. Remember STARTTLS as
a modern mitigation.
2. FTP (File Transfer Protocol)
Overview:
Purpose: Transfers files between systems (ports 20 for data, 21 for control).
Operation: Client-server model with authentication (username/password).
Common Vulnerabilities:
Exam Tip: Memorize plain text and anonymous access as key FTP flaws. Differentiate FTPS
(SSL/TLS) from SFTP (SSH).
3. TFTP (Trivial File Transfer Protocol)
Overview:
Common Vulnerabilities:
No Authentication:
o Anyone can access files if TFTP is exposed, leading to data leakage.
o Impact: Sensitive configs (e.g., router settings) stolen.
Plain Text Transmission:
o No encryption, vulnerable to eavesdropping.
o Mitigation: Use secure alternatives like SCP.
Directory Traversal:
o Attackers access files outside the intended directory (e.g., ../../etc/passwd).
o Impact: System compromise.
DoS Attacks:
o UDP-based nature makes TFTP prone to flooding attacks.
o Mitigation: Restrict TFTP to internal networks.
Misconfiguration:
o Exposed TFTP servers on public networks amplify risks.
o Mitigation: Firewall rules to block external access.
Exam Tip: Highlight TFTP’s lack of authentication and UDP reliance. Compare it to FTP
(authentication, TCP-based).
4. HTTP (Hypertext Transfer Protocol)
Overview:
Purpose: Transfers web content between clients and servers (port 80, or 443 for HTTPS).
Operation: Stateless protocol using methods like GET, POST.
Common Vulnerabilities:
Exam Tip: Focus on HTTP vs. HTTPS and application-layer attacks (XSS, SQL injection).
HTTPS is the primary mitigation.
5. ICMP (Internet Control Message Protocol)
Overview:
Purpose: Handles diagnostic and error messages in IP networks (e.g., Ping, Traceroute).
Operation: Layer 3 protocol, no port, used for network troubleshooting.
Common Vulnerabilities:
Ping Flood:
o Attackers flood a target with ICMP Echo Requests, overwhelming bandwidth.
o Impact: DoS, network slowdown.
ICMP Redirect Attacks:
o Malicious ICMP redirect messages manipulate routing tables.
o Impact: Traffic interception or blackholing.
Smurf Attack (Covered Separately):
o Exploits ICMP to amplify DoS attacks.
Reconnaissance:
o Attackers use ICMP (e.g., Ping sweeps) to map live hosts.
o Impact: Precursor to targeted attacks.
Tunneling:
o Attackers encapsulate malicious data in ICMP packets to bypass firewalls.
o Mitigation: Block unnecessary ICMP types.
Mitigation:
Filter ICMP traffic (allow only Echo Request/Reply for Ping).
Rate-limit ICMP to prevent floods.
Disable ICMP redirects.
Exam Tip: Understand ICMP’s diagnostic role and its abuse in DoS/reconnaissance. Link to
Smurf attack for overlap.
6. Smurf Attack
Overview:
Common Vulnerabilities:
Amplification:
o Single request generates responses from multiple devices, overwhelming the
victim.
o Impact: Network congestion, service disruption.
Broadcast Misconfiguration:
o Networks allowing directed broadcasts enable Smurf attacks.
o Mitigation: Disable IP-directed broadcasts (RFC 2644).
Spoofing:
o Attackers forge source IP, making traceback difficult.
o Mitigation: Implement ingress filtering (BCP 38).
Lack of Rate Limiting:
o Unrestricted ICMP responses amplify the attack.
o Mitigation: Rate-limit ICMP traffic.
Exam Tip: Memorize Smurf as an ICMP-based amplification attack. Key mitigations: disable
broadcast, filter spoofed traffic.
7. UDP (User Datagram Protocol)
Overview:
Purpose: Lightweight, connectionless transport protocol (Layer 4).
Operation: Used by protocols like DNS, DHCP, TFTP (no handshake, no reliability).
Common Vulnerabilities:
Amplification Attacks:
o UDP-based services (e.g., DNS, NTP) respond with large packets to small
requests, amplifying DoS attacks.
o Impact: Bandwidth exhaustion.
Spoofing:
o Connectionless nature allows source IP spoofing.
o Mitigation: Ingress/egress filtering.
Flooding:
o Attackers flood UDP ports, overwhelming services.
o Impact: Service disruption (e.g., VoIP, gaming).
Lack of Encryption:
o Most UDP traffic (e.g., DNS) is unencrypted, vulnerable to interception.
o Mitigation: Use DNSSEC (integrity/authenticity of responses, not confidentiality) together with encrypted transports such as QUIC.
Misconfigured Services:
o Exposed UDP services (e.g., SNMP) leak sensitive data.
o Mitigation: Firewall unused UDP ports.
Exam Tip: Highlight UDP’s connectionless nature and amplification risk. Compare to TCP
(connection-oriented, handshake).
8. DNS (Domain Name System)
Overview:
Common Vulnerabilities:
DNS Amplification:
o Attackers send small queries with spoofed source IP, triggering large responses.
o Impact: DoS via bandwidth exhaustion.
Cache Poisoning:
o Attackers inject fake DNS records, redirecting traffic to malicious sites.
o Impact: Phishing, malware delivery.
DNS Hijacking:
o Compromised DNS servers or configurations redirect legitimate queries.
o Mitigation: Use DNSSEC for authentication.
Zone Transfer Attacks:
o Unauthorized access to DNS zone files reveals network topology.
o Mitigation: Restrict zone transfers to trusted servers.
DoS Attacks:
o Flooding DNS servers with queries disrupts resolution.
o Mitigation: Rate-limiting, anycast DNS.
Exam Tip: Focus on amplification and poisoning as key DNS threats. DNSSEC is critical for
integrity/authenticity.
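As an added example that is not part of the original notes, the following detection logic covers the two amplification patterns described above (the Smurf attack in section 6 and DNS amplification in this section), run over constructed flow records. All addresses, record layout and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed flow records (not real captures): (src_ip, dst_ip, proto, detail, bytes).
# For "icmp" flows, detail is the ICMP type (0 = Echo Reply, 8 = Echo Request);
# for "udp" flows, detail is the source port (53 = a DNS server replying).
SMURF_REPLIES = [(f"10.0.0.{i}", "203.0.113.5", "icmp", 0, 84) for i in range(10, 18)]
DNS_RESPONSES = [(f"198.51.100.{i}", "203.0.113.9", "udp", 53, 3000 + i) for i in range(1, 5)]
BENIGN = [
    ("10.0.0.3", "10.0.0.1", "icmp", 8, 84),        # ordinary ping request
    ("10.0.0.1", "10.0.0.3", "icmp", 0, 84),        # its single reply
    ("198.51.100.2", "10.0.0.4", "udp", 53, 120),   # normal-sized DNS answer
]
FLOWS = SMURF_REPLIES + DNS_RESPONSES + BENIGN


def slash24(ip):
    """Return the /24 prefix of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:3])


def detect_smurf(flows, min_sources=5):
    """Flag destinations receiving Echo Replies from many hosts in one /24.

    A Smurf victim never sent the requests: the spoofed source address pointed a
    directed broadcast at the victim, so every host on that subnet replies to it.
    Returns {victim: (source_count, distinct_subnets)}; one subnet is the telltale.
    """
    sources = defaultdict(set)
    for src, dst, proto, icmp_type, _ in flows:
        if proto == "icmp" and icmp_type == 0:
            sources[dst].add(src)
    return {
        dst: (len(srcs), len({slash24(s) for s in srcs}))
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources
    }


def detect_dns_amplification(flows, min_bytes=1000, min_responses=3):
    """Flag destinations receiving several oversized DNS responses.

    Amplified answers are far larger than the small spoofed query that triggered
    them, and the victim receives them without ever asking. Returns {victim: bytes}.
    """
    sizes = defaultdict(list)
    for _, dst, proto, sport, size in flows:
        if proto == "udp" and sport == 53 and size >= min_bytes:
            sizes[dst].append(size)
    return {dst: sum(s) for dst, s in sizes.items() if len(s) >= min_responses}


if __name__ == "__main__":
    print("Smurf candidates:", detect_smurf(FLOWS))
    print("DNS amplification candidates:", detect_dns_amplification(FLOWS))
```

In real deployments the thresholds would be tuned per network and the records would come from NetFlow/IPFIX or a packet capture rather than an inline list.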
9. Ping
Overview:
Common Vulnerabilities:
Ping Flood:
o Overwhelms target with ICMP requests, consuming resources.
o Impact: DoS, network slowdown.
Ping of Death:
o Sends oversized ICMP packets (>65,535 bytes), crashing vulnerable systems.
o Impact: System crashes (patched in modern systems).
Reconnaissance:
o Attackers use Ping sweeps to identify live hosts.
o Impact: Network mapping for further attacks.
Covert Channels:
o Malicious data hidden in ICMP payloads bypasses firewalls.
o Mitigation: Block non-essential ICMP traffic.
Mitigation:
Exam Tip: Link Ping to ICMP vulnerabilities. Note Ping flood and reconnaissance as common
abuses.
10. SYN
Overview:
Purpose: Initiates TCP connections via SYN packets (part of 3-way handshake: SYN →
SYN-ACK → ACK).
Operation: TCP-based, ensures reliable communication.
Common Vulnerabilities:
Mitigation:
Exam Tip: Understand SYN flood as a TCP handshake exploitation. Memorize SYN cookies as
a key defense.
Key Points for Exam Prep
1. SMTP:
a. Vulnerable to open relay, spoofing, plain text.
b. Mitigation: STARTTLS, disable VRFY/EXPN.
2. FTP:
a. Plain text, anonymous access risks.
b. Mitigation: FTPS/SFTP, strong passwords.
3. TFTP:
a. No authentication, UDP-based, directory traversal.
b. Mitigation: Restrict access, use SCP.
4. HTTP:
a. Plain text (HTTP), XSS, SQL injection.
b. Mitigation: HTTPS, input validation.
5. ICMP:
a. Ping floods, redirects, Smurf attacks.
b. Mitigation: Filter ICMP, rate-limit.
6. Smurf:
a. ICMP amplification via broadcast.
b. Mitigation: Disable broadcasts, filter spoofing.
7. UDP:
a. Amplification, spoofing, flooding.
b. Mitigation: Filter ports, DNSSEC.
8. DNS:
a. Amplification, poisoning, hijacking.
b. Mitigation: DNSSEC, restrict transfers.
9. Ping:
a. Floods, reconnaissance, ping of death.
b. Mitigation: Limit ICMP, monitor traffic.
10. SYN:
a. SYN flood exhausts resources.
b. Mitigation: SYN cookies, rate-limiting.
Study Strategy
Flashcards: Create cards for each protocol, listing vulnerabilities and mitigations.
Diagrams: Draw TCP vs. UDP, or ICMP attack flows (e.g., Smurf, SYN flood).
Comparison Table:
Protocol   Layer      Key Vulnerability     Mitigation
SMTP       App        Open relay            STARTTLS
FTP        App        Plain text            FTPS/SFTP
TFTP       App        No auth               Firewalls
HTTP       App        XSS, SQL injection    HTTPS
ICMP       Network    Ping flood            Rate-limiting
UDP        Transport  Amplification         DNSSEC
DNS        App        Poisoning             DNSSEC
Practice Questions:
o Explain how a Smurf attack works and suggest two mitigations.
o Compare vulnerabilities of FTP and TFTP.
o How does a SYN flood exploit TCP? Describe one defense mechanism.
o Why is DNS amplification dangerous, and how does DNSSEC help?
o What makes HTTP vulnerable to MITM attacks, and how is HTTPS a solution?